Over the last several years, the use of the internet by individuals and business entities has increased significantly as the internet has become established as a mechanism to disseminate information. The internet presents information to a user using a web browser that is located on his or her computer. The web browser retrieves and displays web pages from various web servers connected to the internet. This widespread use of the internet has given rise to applications in which access to resources such as data, web pages, functional software operations, and the like needs to be limited to a small set of known and authorized users.
As the variety of web based applications increases, the number of different mechanisms used to authenticate the identity of a user who is attempting to access web resources has increased. These mechanisms differ in their complexity as each mechanism attempts to provide a particular level of assurance of the identity of the requesting user. This level of assurance is typically balanced against the computational cost and complexity to reach a given level of assurance. For example, when accessing banking records over the internet, a bank customer may be willing to accept a lower level of assurance to see personal banking data such as address and recent transaction history in exchange for the speed, cost, and reduced complexity needed to access the data. However, the customer and the bank may not be willing to accept the lower level of assurance for the identity of a user when the request being processed involves transferring finds from the user's account. Because it is expected that inspecting data is a more frequent occurrence than transferring finds, the above cost-benefit tradeoff may be reasonable.
Secondly, the authentication mechanisms sometimes differ because they provide services in differing software environments. For example, an authentication mechanism suited for use within a corporation, may be unsuitable on the Internet. One reason for this could be, that you would expect everyone in your corporation to use the same client (Internet browser). On the other hand, on the Internet, you would expect users to use different clients to access resources on your web-server.
The increased use of the internet to provide users access to data and processing resources has also given rise to a widely distributed computing environment. This computing environment may be characterized as having a multitude of accessible resources connected to a widely available communications network. These accessible resources are typically set up and maintained as independent processing systems that each possess an individual set of parameters used to characterize and describe the users who may access the available resource. A single user may access resources available on a first server within the capacity of a customer of a bank. This user may access other resources on a server as an employee of a corporation. This user may access another set of resources on the web as a trusted party. In each of these transactions, the same user will typically be given different access privileges to the corresponding resources according to the “role” the user has with respect to each resource. The definition of these roles and the relationship between the roles and individual users are specified by each server for each resource made available to users.
Currently, the authentication of users is typically implemented with a userID and a password. After authentication of a userID, access to resources may be granted based upon whether the userID is permitted access. The use of roles to group collection of userIDs into groups of users having identical access has occurred. However, the use of these roles has always been part of a process that combines the authentication of userIDs, to obtain the roles, with the authorization of access to the resources using the roles. This combination of the authentication operations with the access authorization operation prevents the easy use of different authentication functions within a single system to obtain differing levels of assurance for resources commonly located within a single system. Secondly, due to various reasons, the web server may have to support more than one authentication schemes. Eg. All web server clients (“Internet browsers”) may not support a particular functionality, which prevent using some authentication schemes. To make sure that users using different Internet browsers are able to communicate with the web server, the web server may want to support more than one authentication scheme. If different authentication functions are to exist within a single system as described above, then the role based access authorization functions typically have been reproduced with separate role-based systems for each corresponding authentication system. This duplication of functionality is unnecessary and adds additional complexity to the web server implementation.